Allow upload package to S3 using the indicated role

[tuukkamustonen]

Looks like Zappa uploads the artifact to S3 as current user instead of using the defined role?

With zappa_settings.json:

{
    "production": {
        "app_function": "linkportal.app",
        "s3_bucket": "musttu-zappa",
        "manage_roles": false,
        "role_name": "my-custom-role"
    }
}

14:09 $ zappa deploy production
Packaging project as zip...
Warning! Your project and virtualenv have the same name! You may want to re-create your venv with a new name, or explicitly define a 'project_name', as this may cause errors.
Uploading linkportal-production-1476788948.zip (7.2MiB)...
  0%|           | 0.00/7.54M [00:00<?, ?B/s]
Failed to upload linkportal-production-1476788948.zip to musttu-zappa/linkportal-production-1476788948.zip: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
Unable to upload to S3. Quitting.

In our corporation, we users have only read-only permissions and we use assume-role to obtain more permissions when we need them.

[Miserlou]

The role_name is for the execution role of the remote Zappa function, the local role should be defined your aws credentials.

[Miserlou]

https://github.com/Miserlou/Zappa#using-custom-aws-iam-roles-and-policies

[tuukkamustonen]

@Miserlou Thanks for the pointers. I am a bit lost here, though:

the local role should be defined your aws credentials.

By "local role", do you mean the roles/permissions bound to my user default authorization (determined as [default] in ~/.aws or as AWS_* env variables)? That is exactly the problem here - by default I only have read-only access to AWS. I guess I need to assume other role (with write access to S3 bucket), but in that case I need to know what permissions I need to attach to that role? At least uploading to S3 bucket...?

Also, could you clarify what are attach_policy and assume_policy files in config? If these are specified, will Zappa create them or what will actually happen... or, I didn't think/know that you can assume policies on-the-fly? Or, are attach_policy and assume_policy what is attached to created role if manage_roles is enabled?

[Miserlou]

Yeah, your local AWS credentials file. It assumes default by default, but you can specify a different one with "profile_name": "your-profile-name", in your zappa_settings.

You will always need to be able to upload to an S3 bucket to use Zappa, so I think creating the attaching the ability to do that for the local user is outside the scope of Zappa itself, you should simply have an account that has the ability to upload to a location in your code bucket, I don't see why that needs to be dynamic.

Re: the remote policy, discussion is still happening here: #244
If manage_roles is enabled, it will create them, either from the default, or from the user-supplied templates in those settings. That's all for remote settings though.

Make sense? Am I missing something?

[Miserlou]

Also possibly relevant: https://github.com/bjinwright/zops

[tuukkamustonen]

Make sense? Am I missing something?

Yeah, it makes sense. So "local role" (=the default role/user/principal used) must have permissions listed in #244 (comment).

And zappa role (role_name) must have policies presented in #244 (comment). Those are the defaults, so there shouldn't be need to define custom attach_policy and assume_policy. Correct me if wrong.

I guess I got confused by this in bit in readme:

By default, the Zappa client will create and manage the necessary IAM policies and roles to DEPLOY and execute Zappa applications.

While actually Zappa will only create the role/policies needed to execute/run the applications. Deploying is done using credentials that you have active (profile_name).

Did I get it right now?

[Miserlou]

Yes. I will update the documentation to clarify that. Sorry for the confusion.

[tuukkamustonen]

Alright, I think we are done here. Thanks for prompt support!